The Password Anti-Pattern and the Login Redirection Anti-Pattern

A few weeks ago, I wrote about about how web sites that manage your data should be more open in order to better protect you. Not so surprisingly, I’m not the only one thinking about this issue. Jeremy Keith has a fantastic detailed write-up regarding what he calls the “password anti-pattern.” It gets at the same fundamental issue I was talking about, but with more interesting detail. It lays out the problem concisely and clearly: [Asking for gmail passwords from your users] teaches people how to be phished. And it mentions OAuth, an effort I only recently learned about, which … Continue reading The Password Anti-Pattern and the Login Redirection Anti-Pattern

Facebook Platform: bad login practices, OpenID doesn’t work

Facebook launched a platform that lets third-party developers add Facebook applications. This is visionary, and it’s very very cool (though I’m not sure it’s the revolution everyone is talking about.) The problem, of course, is authentication. Take a look at the Zoho Facebook application. Zoho is a separate company. They have their own accounts. So now they have to associate an existing Facebook account with an existing Zoho account. The only way they can do this currently is to ask for the Zoho password from within the Zoho Facebook application, which is served from facebook.com. So now verifying the URL … Continue reading Facebook Platform: bad login practices, OpenID doesn’t work

BeamAuth: Two-Factor Web Authentication with a Bookmark.

(There’s always a dilemma between “publishing soon” and “polishing for peer review.” This is my first attempt at blog-based collaborative peer-review. Let’s see how it goes!) The Problem Phishing is a serious issue, and it’s only getting worse. Through various means, Alice ends up at a spoofed web site she thinks she recognizes (usually her bank). She inevitably ends up providing her login credentials, which the attacker can then use to perform (malicious) actions on Alice’s behalf. Theoretically, assuming Alice’s browser is relatively secure, she could check the URL and the SSL certificate and defend against these kinds of attack. … Continue reading BeamAuth: Two-Factor Web Authentication with a Bookmark.

2007: Controlled End-User Web APIs for Private-Data Mashups

As far as technology goes, 2007 will be about web security. With everyone storing more and more personal data on various web sites, and with the continuing innovation of mash-ups, it’s inevitable. And it won’t be the web security issues of the last few years, either, it will all be about how to do private-data mash-ups securely. Case in Point: Google just patched a serious security problem that allowed an Evil Web Site (EWS) to access your gmail contact list, as long as you were logged into gmail and you simply visited the EWS. The root cause: Google wanted one … Continue reading 2007: Controlled End-User Web APIs for Private-Data Mashups

The Clooney Attack

George Clooney is upset at the Gawker Stalker web site for tracking celebrities by collecting information from the public. Clooney suggests Data Poisoning their site by submitting hundreds of bogus celebrity sighting reports. I’m a big fan of Clooney’s latest films, but I didn’t realize he was this savvy about the Internet: its greatest strength — anyone can contribute — is also its greatest weakness. This is a perfect way to fight for privacy without over-legislating. Go George. Continue reading The Clooney Attack

My First Podcast – on Digital Identity

A few weeks ago, I attended Berkman’s Digital Identity gathering where we discussed the technical, legal, and business aspects of the Identity Metasystem, this new, meta approach to online identity promoted by Kim Cameron of Microsoft. I need to write up my thoughts in greater detail, but in the meantime, Aldo Castaneda interviewed me and posted the podcast. Enjoy. Continue reading My First Podcast – on Digital Identity